AES - PowerPoint PPT Presentation

Provided by: Mariu189
Learn more at: http://orion.towson.edu
Slides: 27

Transcript and Presenter's Notes

1
AES

2
Origins
  • clearly a replacement for DES was needed
    • key size is too small
    • the variants are just patches
  • can use Triple-DES, but it is slow and has small
    blocks
  • US NIST issued a call for ciphers in 1997
  • 15 candidates accepted in Jun 98
  • 5 were shortlisted in Aug-99

3
AES Competition Requirements
  • private key symmetric block cipher
  • 128-bit data, 128/192/256-bit keys
  • stronger and faster than Triple-DES
  • provide full specification and design details
  • both C and Java implementations
  • NIST have released all submissions and unclassified
    analyses

4
AES Evaluation Criteria
  • initial criteria
    • security: effort needed for practical cryptanalysis
    • cost in terms of computational efficiency
    • algorithm and implementation characteristics
  • final criteria
    • general security
    • ease of software and hardware implementation
    • implementation attacks
    • flexibility (in en/decrypt, keying, other factors)

5
AES Shortlist
  • after testing and evaluation, shortlist in Aug-99
    • MARS (IBM) - complex, fast, high security margin
    • RC6 (USA) - v. simple, v. fast, low security
      margin
    • Rijndael (Belgium) - clean, fast, good security
      margin
    • Serpent (Euro) - slow, clean, v. high security
      margin
    • Twofish (USA) - complex, v. fast, high security
      margin
  • then subject to further analysis and comment
  • saw a contrast between algorithms with
    • few complex rounds versus many simple rounds
    • refined versions of existing ciphers versus new
      proposals

6
The AES Cipher - Rijndael
  • Rijndael was selected as the AES in Oct-2000
  • issued as FIPS PUB 197 standard in Nov-2001
  • designed by Joan Daemen and Vincent Rijmen in
    Belgium
  • has 128/192/256 bit keys, 128 bit data
  • an iterative rather than Feistel cipher
  • processes data as a block of 4 columns of 4 bytes
  • operates on the entire data block in every round
  • designed to be
    • resistant against known attacks
    • fast and compact in code on many CPUs
    • simple in design

7
Rijndael
  • data block viewed as a 4-by-4 table of bytes
  • such a table is called the current state
  • key is expanded to an array of words
  • has 10 rounds (with a 128-bit key), in each of which
    the state undergoes the following transformations
    (called layers)
    • BS - byte substitution (1 S-box used on every
      byte)
    • SR - shift rows (permute bytes between
      groups/columns)
    • MC - mix columns (uses matrix multiplication in
      GF(2^8))
    • ARK - add round key (XOR state with round key)
  • first and last round are a little different

8
Rijndael
9
Byte Substitution
  • a simple substitution of each byte
  • uses one S-box of 16x16 bytes containing a
    permutation of all 256 8-bit values
  • each byte of state is replaced by the byte indexed by
    row (left 4 bits) and column (right 4 bits)
  • e.g. byte 95 is replaced by the byte in row 9,
    column 5, which has value 2A
  • S-box constructed using a defined transformation of
    values in GF(2^8)
  • S-box constructed using a simple math formula
    based on the non-linear function 1/x in GF(2^8)
  • construction of S-box (on board)

10
Byte Substitution
11
Shift Rows
  • a circular byte shift in each row
  • 1st row is unchanged
  • 2nd row does a 1-byte circular shift to the left
  • 3rd row does a 2-byte circular shift to the left
  • 4th row does a 3-byte circular shift to the left
  • decrypt inverts using shifts to the right
  • since state is processed by columns, this step
    permutes bytes between the columns

12
Shift Rows
13
Mix Columns
  • each column is processed separately
  • each byte is replaced by a value dependent on all
    4 bytes in the column
  • effectively a matrix multiplication in GF(2^8)
    using the prime (irreducible) polynomial
    m(x) = x^8 + x^4 + x^3 + x + 1

14
Mix Columns
15
Mix Columns
  • can express each column of the new state as 4
    equations
    • one equation to derive each new byte in the column
  • decryption requires use of the inverse matrix
    • with larger coefficients, hence a little harder
  • have an alternate characterization
    • each column is a 4-term polynomial
    • with coefficients in GF(2^8)
    • and polynomials multiplied modulo (x^4 + 1)
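The ShiftRows and MixColumns layers from slides 11, 13 and 15, as an added example that is not part of the presentation: the state is held as 4 rows of 4 bytes (state[row][col], an assumed layout matching FIPS-197), MixColumns is written as the 4 per-column equations, and the GF(2^8) multiply is built from doublings and XORs, the 8-bit-CPU trick slide 24 refers to.

```python
# Added example, not the presentation's code: ShiftRows and MixColumns
# on the 4x4 AES state, with MixColumns as 4 equations per column.

def xtime(a: int) -> int:
    """Multiply by x (i.e. by 02) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def mul(a: int, c: int) -> int:
    """a times a small constant c using only doublings (xtime) and XORs:
    the bits of c select which of a, 2a, 4a, 8a, ... are XORed together."""
    r = 0
    while c:
        if c & 1:
            r ^= a
        a, c = xtime(a), c >> 1
    return r

# state[row][col]: each column is 4 bytes; the cipher works column-wise.
def shift_rows(s):
    """Row r is rotated left by r bytes, which moves bytes between columns."""
    return [s[r][r:] + s[r][:r] for r in range(4)]

def inv_shift_rows(s):
    """Rotate each row right by its index (the decryption direction)."""
    return [s[r][4 - r:] + s[r][:4 - r] for r in range(4)]

# Forward circulant matrix and its inverse (larger coefficients 9, 11, 13, 14).
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]

def mix_column(col, m=MIX):
    """The 4 equations: new[i] = m[i][0]*col[0] ^ ... ^ m[i][3]*col[3]."""
    return [mul(col[0], m[i][0]) ^ mul(col[1], m[i][1])
            ^ mul(col[2], m[i][2]) ^ mul(col[3], m[i][3]) for i in range(4)]

def mix_columns(s, m=MIX):
    """Apply mix_column to each of the 4 columns independently."""
    cols = [mix_column([s[r][c] for r in range(4)], m) for c in range(4)]
    return [[cols[c][r] for c in range(4)] for r in range(4)]

def inv_mix_columns(s):
    """Decryption uses the inverse matrix; it undoes mix_columns exactly."""
    return mix_columns(s, INV_MIX)
```

With the FIPS-197 test column db 13 53 45, mix_column returns 8e 4d a1 bc, and mix_column on that result with INV_MIX gives the original column back.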

16
Add Round Key
  • XOR state with 128 bits of the round key
  • again processed by column (though effectively a
    series of byte operations)
  • inverse for decryption is identical
    • since XOR is its own inverse, with reversed keys
  • designed to be as simple as possible

17
Add Round Key
18
AES Round
19
AES Key Scheduling
  • takes a 128-bit (16-byte) key and expands it into an
    array of 44 32-bit words
  • see the equations (on board)
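The S-box construction from slide 9 (1/x in GF(2^8) followed by the FIPS-197 affine map) and the 128-bit key expansion from slide 19, as one added example that is not part of the presentation. It assumes the standard FIPS-197 definitions (the affine constant 0x63, the round constants and the RotWord/SubWord steps); SBOX[0x95] comes out as 0x2A, the value slide 9 quotes.

```python
# Added example, not the presentation's code: build the AES S-box from
# the GF(2^8) inverse plus the affine map, then run the key expansion.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse 1/a; AES maps 0 to 0 by convention."""
    return 0 if a == 0 else next(x for x in range(1, 256) if gf_mul(a, x) == 1)

def sbox_entry(a: int) -> int:
    """S(a) = affine(1/a): bit i = c_i ^ c_(i+4) ^ c_(i+5) ^ c_(i+6) ^ c_(i+7)
    (indices mod 8) ^ bit i of 0x63, where c = 1/a."""
    c = gf_inv(a)
    s = 0
    for i in range(8):
        bit = 0x63 >> i
        for k in (0, 4, 5, 6, 7):
            bit ^= c >> ((i + k) % 8)
        s |= (bit & 1) << i
    return s

SBOX = [sbox_entry(a) for a in range(256)]  # 16x16 table: row = high nibble

RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def key_expansion(key: bytes) -> list:
    """FIPS-197 schedule for a 128-bit key: w[0..3] is the key itself and
    w[i] = w[i-4] ^ t, where t = w[i-1] except that every 4th word first
    gets RotWord, SubWord (the S-box) and a round constant."""
    if len(key) != 16:
        raise ValueError("this example handles 128-bit keys only")
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(4)]
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = ((t << 8) | (t >> 24)) & 0xFFFFFFFF                    # RotWord
            t = int.from_bytes(bytes(SBOX[x] for x in t.to_bytes(4, "big")), "big")  # SubWord
            t ^= RCON[i // 4 - 1] << 24                                 # Rcon
        w.append(w[i - 4] ^ t)
    return w
```

For the FIPS-197 Appendix A key 2b7e1516 28aed2a6 abf71588 09cf4f3c the first expanded word w[4] is a0fafe17 and the last, w[43], is b6630ca6.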

20
AES Key Expansion
21
Key Expansion Rationale
  • designed to resist known attacks
  • design criteria included
    • knowing part of the key is insufficient to find
      many more key bits
    • invertible transformation
    • fast on a wide range of CPUs
    • use round constants to break symmetry
    • diffuse key bits into round keys
    • enough non-linearity to hinder analysis
    • simplicity of description

22
AES Decryption
  • AES decryption is not identical to encryption,
    since the steps are done in reverse
  • but can define an equivalent inverse cipher with
    the steps in the same order as for encryption
    • but using the inverse of each step
    • with a different key schedule
  • works since the result is unchanged when we
    • swap byte substitution and shift rows
    • swap mix columns and add (tweaked) round key

23
AES Decryption
24
Implementation Aspects
  • can efficiently implement on an 8-bit CPU
    • byte substitution works on bytes using a table of
      256 entries
    • shift rows is a simple byte shift
    • add round key works on byte XORs
    • mix columns requires a matrix multiply in GF(2^8),
      which works on byte values and can be simplified to
      use table lookups and byte XORs

25
AES - Design considerations
  • not a Feistel scheme, so diffusion is faster, but
    it is a new scheme, so less analyzed
  • S-box is a mathematical construction, no debate:
    based on the x → x^(-1) transformation
  • shift rows: to resist two recent attacks,
    truncated differentials and the square attack
  • key scheduling is nonlinear (uses the S-box) and
    mixes the key bits
  • 10 rounds: there are attacks better than
    brute-force search for Rijndael with 7 rounds, so
    an extra 3 rounds for safety

26
Implementation Aspects
  • our description assumed 8-bit operations
  • AES can be efficiently implemented on a 32-bit CPU
    • redefine steps to use 32-bit word operations
    • can precompute some tables
    • then each column in each round can be computed
      using table lookups and 4 XORs
    • at a cost of 4Kb to store the tables
    • very efficient
  • implementation was a key factor in its selection
    as the AES cipher
  • AES animation:
    http://www.cs.bc.edu/straubin/cs381-05/blockciphers/rijndael_ingles2004.swf